Tag: FIREWALL
By Joey Chen, Chetan Raghuprasad and Alex Karkins.
Cisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing three famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys. Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host.…
Organizations are increasingly turning to cloud computing for IT agility, resilience and scalability. Amazon Web Services (AWS) stands at the forefront of this digital transformation, offering a robust, flexible and cost-effective platform that helps businesses drive growth and innovation.
However, as organizations migrate to the cloud, they face a complex and growing threat landscape of sophisticated and cloud-conscious threat actors.…
We continue covering the activities of the APT group ToddyCat. In our previous article, we described tools for collecting and exfiltrating files (LoFiSe and PcExter). This time, we have investigated how attackers obtain constant access to compromised infrastructure, what information on the hosts they are interested in, and what tools they use to extract it.…
Curated bookmark list categorized by area and event monitoring, person of interest search, corporate profiling, mapping, AI, intelligence analysis, reporting tools, collective tools, cryptocurrency, country specific, verification and fact-checking.
They are broken down into appropriate categories such as:
area and event monitoring
person of interest search
corporate profiling
mapping
artificial intelligence
intelligence analysis
reporting tools
collective tools
cryptocurrency
country specific
verification and fact-checking.…
This video presents an enlightening discussion on the advancements in AI-driven cyber defense technologies, specifically focusing on a groundbreaking product introduced by Cisco called “Cisco HyperShield.” Here are the critical insights from the video:
“There are too many firewall features available today; I am using Cisco ASA as an example for this firewall topic.” Cisco ASA is a versatile network security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. Cisco ASA is designed to protect networks and ensure secure communications and data transfer.…
In late 2023, BlackBerry analysts identified a spear-phishing campaign by threat group FIN7 that targeted a large automotive manufacturer based in the United States. FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights. They used the lure of a free IP scanning tool to run their well-known Anunak backdoor and gain an initial foothold utilizing living off the land binaries, scripts, and libraries (lolbas).…
Recently, NSFOCUS CERT detected that Palo Alto Networks issued a security announcement and fixed the command injection vulnerability (CVE-2024-3400) in PAN-OS. Since GlobalProtect gateway or portal configured in PAN-OS does not strictly filter user input, unauthenticated attackers can construct special packets to execute arbitrary code on the firewall with root privileges.…
Summary: Cisco has warned about a surge in brute-force attacks targeting various devices, including VPN services, web application authentication interfaces, and SSH services, since March 18, 2024.
Threat Actor: Unknown | Brute-Force Attacks
Victim: Various organizations | Cisco
Key Point:
The attacks have been observed targeting devices such as Cisco Secure Firewall VPN, Checkpoint VPN, Fortinet VPN, SonicWall VPN, RD Web Services, Mikrotik, Draytek, and Ubiquiti.…
Summary: Cybersecurity researchers have discovered a new campaign that exploits a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads.
Threat Actor: Unknown | Connect:fun
Victim: Unnamed media company | Unnamed media company
Key Point:
A new campaign called Connect:fun is exploiting a critical SQL injection flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads.…
Recently, a zero-day command-injection vulnerability, assigned to CVE-2024-3400, was found in the Palo Alto Networks PAN-OS. It was assigned the maximum severity score of 10.0 and can be exploited by an unauthenticated user to run arbitrary commands on the target system with root privileges.
Volexity was the first to identify and report the vulnerability.…
Summary: This article discusses the technical analysis of the vulnerability CVE-2024-3400 in Palo Alto Networks’ PAN-OS and the exploitation of this vulnerability by threat actors.
Threat Actor: Operation MidnightEclipse | Operation MidnightEclipse
Victim: Palo Alto Networks | Palo Alto Networks
Key Point:
Researchers have discovered a critical command injection vulnerability (CVE-2024-3400) in Palo Alto Networks PAN-OS software, which allows threat actors to execute arbitrary code with root privileges on affected firewalls.…
In a new threat briefing, Forescout Research – Vedere Labs details an exploitation campaign targeting organizations running Fortinet’s FortiClient EMS which is vulnerable to CVE-2023-48788. We are designating this campaign Connect:fun because of the use of ScreenConnect and Powerfun as post-exploitation tools – our first-ever named campaign.…
Cisco Talos would like to acknowledge Brandon White of Cisco Talos and Phillip Schafer, Mike Moran, and Becca Lynch of the Duo Security Research team for their research that led to the identification of these attacks.
Cisco Talos is actively monitoring a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024.…
Identifier: TRR240401
On March 25, 2024, the U.S. Department of Justice (DoJ) released an indictment of seven hackers associated with APT31, a “hacking group in support of China’s Ministry of State Security” (MSS) which has been active for 14 years. On the same day, the Department of Treasury enacted sanctions on several entities listed in the document.…
Summary: Threat actors are exploiting a zero-day flaw in Palo Alto Networks PAN-OS software to execute arbitrary code with root privileges on the firewall.
Threat Actor: Operation MidnightEclipse | Operation MidnightEclipse
Victim: Palo Alto Networks | Palo Alto Networks
Key Point:
Threat actors are exploiting a zero-day vulnerability in Palo Alto Networks PAN-OS software to execute arbitrary code with root privileges on the firewall.…
Executive Summary
This threat brief is frequently updated as new threat intelligence is available for us to share. The full update log is at the end of this post and offers the fullest account of all changes made.…
On Friday, April 12, Palo Alto Networks published an advisory on CVE-2024-3400, a CVSS 10 zero-day vulnerability in several versions of PAN-OS, the operating system that runs on the company’s firewalls. According to the vendor advisory, if conditions for exploitability are met, the vulnerability may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.…
Threat Actor: Unknown | Unknown
Victim: Palo Alto Networks | Palo Alto Networks
Price: Not applicable
Exfiltrated Data Type: Not applicable
Additional Information:
The vulnerability, designated as CVE-2024-3400, affects Palo Alto Networks’ PAN-OS software, specifically targeting the GlobalProtect feature. The vulnerability allows malicious actors to execute arbitrary code with root privileges on vulnerable firewalls.…